[Oisf-users] Question about thresholds
Carlos Lopez
clopmz at outlook.com
Tue Oct 2 13:49:32 UTC 2018
Thanks Michal .. And is it possible to disable all alerts from a specific IP address? for example:
suppress gen_id 0, sig_id 0, track by_src, ip 192.168.1.1
Regards,
C. L. Martinez
________________________________________
From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: 02 October 2018 13:39
To: Carlos Lopez
Cc: Open Information Security Foundation
Subject: Re: [Oisf-users] Question about thresholds
A real world example that seems to work here
suppress gen_id 1, sig_id 2002027, track by_dst, ip [10.22.22.0/24,10.22.11.0/24,2620:1111:1111:1111::/64<http: 10.22.22.0="" 24,10.22.11.0="" 24,2620:1111:1111:1111::="" 64="">]
On Tue, Oct 2, 2018 at 1:18 PM Carlos Lopez <clopmz at outlook.com<mailto:clopmz at outlook.com>> wrote:
Hi all,
Maybe it is a stupid question, but is it not possible to configure a CIDR network to supress some alerts via threshold.conf?, for example:
suppress gen_id 1, sig_id 2101201, track by_src, ip 192.168.1.0/24<http: 192.168.1.0="" 24="">
If not, what can be the best strategy to accomplish this?
Regards,
C. L. Martinez
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org<mailto:oisf-users at openinfosecfoundation.org>
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
</mailto:oisf-users at openinfosecfoundation.org></http:></clopmz at outlook.com<mailto:clopmz at outlook.com></http:></michalpurzynski1 at gmail.com>
More information about the Oisf-users
mailing list